<!DOCTYPE html>



  


<html class="theme-next pisces use-motion" lang="zh-Hans">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="web,">





  <link rel="alternate" href="/atom.xml" title="Mr.赵" type="application/atom+xml">






<meta name="keywords" content="web">
<meta property="og:type" content="article">
<meta property="og:title" content="ctf基本的文件上传与绕过学习">
<meta property="og:url" content="https://GodPang.github.io/2018/12/04/ctf基本的文件上传与绕过学习/index.html">
<meta property="og:site_name" content="Mr.赵">
<meta property="og:locale" content="zh-Hans">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv4bb911yj31hc0u0e81.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxuoo1fn7aj30re0hjwhm.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxuopj2ev2j30ou0g8grf.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxuoq7b9npj30q60gtdiq.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxuouj166mj30r50imjuw.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxuov8udekj30r80iln0p.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxuoweonj3j30rg0a5taf.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxup0z3iunj30rb0kg0wc.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxup1otp04j30r80b5dhl.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxup4apphxj30n70je0vk.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxup4y5uv2j30n90j641c.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxup5oecwnj30ng0a375i.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxupby7gvlj30lw0gkjtw.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxupccbbhnj30ng0j3jt6.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxupdsgx20j30n90k2tbs.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxupe4pwhrj30n308rq46.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv2upfq87j30jc0grn2o.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv2vvwd36j30j90ebgsb.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv2x3xj5xj30jd0ea7ia.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv2yq1s4wj30jh0eatmf.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv2zedp1gj30jd09x40q.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv33yviy1j30fc0gfdm0.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv34vu95lj30ee03774l.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv35nkki7j30el04an0z.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv39b0llbj30f302ijrp.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3hrtw2lj30f407v0v3.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3iu0higj30jd0b5443.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3nyydhij30jl0bzq59.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3qrxel6j30jh0crae9.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3r20yt8j30ji0cgadx.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3rapl8kj30jh0cujw5.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3vl5am7j30jg0cwq5d.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3szoovcj30jm0f5gyp.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3xm40dfj30jh0ex4bk.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3ypj96uj30jf0f4gs7.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv3zj6gjgj30ja0f9qdv.jpg">
<meta property="og:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv40t1m54j30jh0crjt6.jpg">
<meta property="og:updated_time" content="2018-12-04T15:17:47.093Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="ctf基本的文件上传与绕过学习">
<meta name="twitter:image" content="http://ww1.sinaimg.cn/large/006doHETly1fxv4bb911yj31hc0u0e81.jpg">






  <link rel="canonical" href="https://GodPang.github.io/2018/12/04/ctf基本的文件上传与绕过学习/">





  <title>ctf基本的文件上传与绕过学习 | Mr.赵</title>
  








</head>

<body itemscope="" itemtype="http://schema.org/WebPage" lang="zh-Hans">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">


    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope="" itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://GodPang.github.io/2018/12/04/ctf基本的文件上传与绕过学习/">

    <span hidden itemprop="author" itemscope="" itemtype="http://schema.org/Person">
      <meta itemprop="name" content="GodPang">
      <meta itemprop="description" content="">
      <meta itemprop="image" content="/images/touxiang.jpg">
    </span>

    <span hidden itemprop="publisher" itemscope="" itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="Mr.赵">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">ctf基本的文件上传与绕过学习</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">发表于</span>
              
              <time title="创建于" itemprop="dateCreated datePublished" datetime="2018-12-04T23:09:34+08:00">
                2018-12-04
              </time>
            

            

            
          </span>

          
            <span class="post-category">
            
              <span class="post-meta-divider">|</span>
            
              <span class="post-meta-item-icon">
                <i class="fa fa-folder-o"></i>
              </span>
              
                <span class="post-meta-item-text">分类于</span>
              
              
                <span itemprop="about" itemscope="" itemtype="http://schema.org/Thing">
                  <a href="/categories/ctf学习笔记/" itemprop="url" rel="index">
                    <span itemprop="name">ctf学习笔记</span>
                  </a>
                </span>

                
                
              
            </span>
          

          
            
          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
<p><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv4bb911yj31hc0u0e81.jpg" alt=""></p>
<a id="more"></a>
<h2 id="绕过客户端校验前台脚本检测扩展名上传webs-hell"><a href="#绕过客户端校验前台脚本检测扩展名上传webs-hell" class="headerlink" title="绕过客户端校验（前台脚本检测扩展名）上传 webshell"></a>绕过客户端校验（前台脚本检测扩展名）上传 webshell</h2><h3 id="原理："><a href="#原理：" class="headerlink" title="原理："></a>原理：</h3><p>当用户在客户端选择文件并点击上传时，浏览器尚未向服务器发送任何数据，页面中的 JavaScript 就先对本地文件名进行检测，判断其扩展名是否属于允许上传的类型，这种方式称为前台脚本检测扩展名。绕过方法是：先把要上传文件的扩展名改成符合脚本检测规则的扩展名（如 .jpg），通过前端检测后，用 BurpSuite 截取上传请求，再把请求中文件名的扩展名改回原来的 .php，即可绕过。</p>
<p>注意：前端校验只能改善用户体验，不是安全控制——校验逻辑运行在攻击者完全控制的浏览器里，发出的请求可以被任意改写，因此服务端必须独立完成文件类型校验，不能依赖前端结果。</p>
<h3 id="实验："><a href="#实验：" class="headerlink" title="实验："></a>实验：</h3><ol>
<li>打开上传页面，选择木马文件 lubr.php，点击上传。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxuoo1fn7aj30re0hjwhm.jpg" alt=""></li>
<li>页面显示错误<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxuopj2ev2j30ou0g8grf.jpg" alt=""></li>
<li>返回上传页面，点击浏览，选择 lubr.jpg（即把 lubr.php 重命名为 lubr.jpg），前端检测通过。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxuoq7b9npj30q60gtdiq.jpg" alt=""></li>
<li>点击上传，用 BurpSuite 抓包，把请求中文件名的 .jpg 改回 .php，点击 Forward 发送数据包，完成绕过。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxuouj166mj30r50imjuw.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxuov8udekj30r80iln0p.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxuoweonj3j30rg0a5taf.jpg" alt=""></li>
</ol>
<h2 id="绕过-Content-Type-检测文件类型上传"><a href="#绕过-Content-Type-检测文件类型上传" class="headerlink" title="绕过 Content-Type 检测文件类型上传"></a>绕过 Content-Type 检测文件类型上传</h2><h3 id="原理：-1"><a href="#原理：-1" class="headerlink" title="原理："></a>原理：</h3><p>浏览器上传文件时，multipart 请求中的文件部分带有一个 Content-Type 头（如 image/gif、application/octet-stream），服务器据此判断文件类型：在白名单内则允许上传，否则拒绝。绕过方法是用 BurpSuite 截取请求，把该 Content-Type 改成白名单允许的值。</p>
<p>注意：这个 Content-Type 完全由客户端填写，与文件的真实内容没有任何绑定，服务端不能把它当作可信的类型依据。可靠的做法是在服务端按文件内容（magic bytes / 图像解码）和扩展名白名单共同校验，并在保存时由服务端重新指定文件名和扩展名。</p>
<h3 id="实验：-1"><a href="#实验：-1" class="headerlink" title="实验："></a>实验：</h3><ol>
<li>打开要上传文件的页面，上传木马lubr.php。报错<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxup0z3iunj30rb0kg0wc.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxup1otp04j30r80b5dhl.jpg" alt=""></li>
<li>用 BurpSuite 抓包，把文件部分的 Content-Type 由 application/octet-stream 改为 image/gif，点击 Forward 发送数据包。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxup4apphxj30n70je0vk.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxup4y5uv2j30n90j641c.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxup5oecwnj30ng0a375i.jpg" alt=""></li>
</ol>
<h2 id="绕过服务器端扩展名检测上传"><a href="#绕过服务器端扩展名检测上传" class="headerlink" title="绕过服务器端扩展名检测上传"></a>绕过服务器端扩展名检测上传</h2><h3 id="原理：-2"><a href="#原理：-2" class="headerlink" title="原理："></a>原理：</h3><p>浏览器把文件提交到服务器端后，服务器端会根据设定的黑名单或白名单检测所提交文件的扩展名，不符合限制的不予上传，否则上传成功。</p>
<p>将一句话木马的文件名 lubr.php 改成 lubr.php.abc。服务器验证扩展名时取的是最后一段 .abc：如果服务端用的是黑名单，.abc 不在黑名单中即可通过（这种绕过对白名单方案无效，白名单会直接拒绝 .abc）。另外，在浏览器访问该文件时，若 Apache 没有与 .abc 对应的处理器，会从后向前继续查找可解析的扩展名，即 .php，于是文件被当作 PHP 执行，一句话木马即可用中国菜刀连接。需要注意，这一点依赖 Apache 以 AddHandler 方式把 .php 交给 PHP 处理器；若用的是 <code>&lt;FilesMatch "\.php$"&gt;</code> 这类只匹配文件名末尾的配置，则不会解析。</p>
<h3 id="实验：-2"><a href="#实验：-2" class="headerlink" title="实验："></a>实验：</h3><ol>
<li>打开要上传文件的页面，上传木马文件lubr.php。上传报错<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxupby7gvlj30lw0gkjtw.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxupccbbhnj30ng0j3jt6.jpg" alt=""></li>
<li>返回上传页面，点击浏览，选择 lubr.php.abc（由 lubr.php 重命名而来），点击上传。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxupdsgx20j30n90k2tbs.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxupe4pwhrj30n308rq46.jpg" alt=""></li>
</ol>
<h2 id="00截断上传"><a href="#00截断上传" class="headerlink" title="00截断上传"></a>00截断上传</h2><h3 id="原理：-3"><a href="#原理：-3" class="headerlink" title="原理："></a>原理：</h3><p>00 截断利用的是程序对上传文件名 / 保存路径过滤不严，允许攻击者在文件名中注入 0x00 字节。底层以 C 字符串处理路径的函数遇到 0x00 即认为字符串已经结束（典型如早期版本的 PHP，其文件函数直到 5.3.4 才拒绝含 NUL 的路径），于是扩展名校验看到的是完整的 lubr.php.jpg，而实际落盘的文件名在 0x00 处被截断为 lubr.php。</p>
<p>假设文件的上传路径为 <code>http://xx.xx.xx.xx/upfiles/lubr.php.jpg</code>。通过抓包把【lubr.php】后面的【.】（0x2e）改成【0x00】：文件名校验仍然看到 .jpg 结尾，而写文件时读到 0x00 就认为文件名已经结束，于是 lubr.php.jpg 的内容被写入 lubr.php，达到攻击目的。</p>
<h3 id="实验：-3"><a href="#实验：-3" class="headerlink" title="实验："></a>实验：</h3><ol>
<li>打开上传页面，选择木马文件 lubr.php.jpg（由 lubr.php 重命名而来）上传。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv2upfq87j30jc0grn2o.jpg" alt=""></li>
<li>burp suite抓包。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv2vvwd36j30j90ebgsb.jpg" alt=""></li>
<li>在 BurpSuite 中切换到 Hex 标签页，进入十六进制编辑界面。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv2x3xj5xj30jd0ea7ia.jpg" alt=""></li>
<li>找到【lubr.php.jpg】对应的十六进制源码，将【lubr.php】后【.】对应的【2e】改为【00】<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv2yq1s4wj30jh0eatmf.jpg" alt=""></li>
<li>点击 Forward，即可成功上传文件（按上述原理，落盘文件名为 lubr.php）。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv2zedp1gj30jd09x40q.jpg" alt=""></li>
</ol>
<h2 id="构造图片木马上传绕过"><a href="#构造图片木马上传绕过" class="headerlink" title="构造图片木马上传绕过"></a>构造图片木马上传绕过</h2><h3 id="原理：-4"><a href="#原理：-4" class="headerlink" title="原理："></a>原理：</h3><p>文件内容校验通常用 getimagesize() 之类的函数判断上传的文件是否是一个有效的图片：是则允许上传，否则拒绝。本实验把一句话木马追加到一个合法图片文件的末尾，图片头仍然完整，因此能通过这种校验，之后再用中国菜刀远程连接。</p>
<p>注意：上传成功并不等于可以执行。直接访问 .jpg 文件时服务器按图片返回，其中的 PHP 代码不会执行；要让它执行还需要配合解析漏洞（见下文的 Apache 解析漏洞）或文件包含等条件。服务端若在保存前用图像库对图片重新编码，追加在文件尾部的代码会被丢弃，这也是针对图片木马的常见防御手段。</p>
<h3 id="实验：-4"><a href="#实验：-4" class="headerlink" title="实验："></a>实验：</h3><ol>
<li>随便找一个图片，与所要上传的木马放置于同一文件夹下。打开cmd，进入木马所在文件夹<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv33yviy1j30fc0gfdm0.jpg" alt=""></li>
<li>在 cmd 中执行 <code>copy pic.jpg/b+lubr.php/a PicLubr.jpg</code>，把 pic.jpg 与 lubr.php 拼接成 PicLubr.jpg（木马内容位于图片数据之后）。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv34vu95lj30ee03774l.jpg" alt=""></li>
<li>上传图片木马，并访问。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv35nkki7j30el04an0z.jpg" alt=""></li>
</ol>
<h2 id="Apache-解析漏洞上传文件"><a href="#Apache-解析漏洞上传文件" class="headerlink" title="Apache 解析漏洞上传文件"></a>Apache 解析漏洞上传文件</h2><h3 id="原理：-5"><a href="#原理：-5" class="headerlink" title="原理："></a>原理：</h3><p>Apache 识别文件类型时从右向左匹配扩展名：如果遇到不认识的扩展名，会继续向前逐个识别，直到遇到能识别的扩展名为止，因此 xx.php.abc 会被当作 PHP 执行。该行为取决于服务器配置——它依赖 PHP 处理器是通过 AddHandler 按扩展名绑定的；若改用只匹配文件名末尾的 <code>FilesMatch</code> 规则绑定 PHP，则不会发生。</p>
<h3 id="实验"><a href="#实验" class="headerlink" title="实验"></a>实验</h3><ol>
<li>将原本不能上传的 xx.php 更名为 xx.php.abc 上传即可，访问时按 PHP 解析。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv39b0llbj30f302ijrp.jpg" alt=""></li>
</ol>
<h2 id="Fckeditor漏洞上传webshell"><a href="#Fckeditor漏洞上传webshell" class="headerlink" title="Fckeditor漏洞上传webshell"></a>Fckeditor漏洞上传webshell</h2><h3 id="原理：-6"><a href="#原理：-6" class="headerlink" title="原理："></a>原理：</h3><p>FCKeditor 2.4.2 以下版本自带的文件管理器存在可直接访问的上传页面；本实验中直接上传 .asp 会被拒绝，需要配合 00 截断才能上传 webshell。</p>
<h3 id="实验：-5"><a href="#实验：-5" class="headerlink" title="实验："></a>实验：</h3><ol>
<li>访问网站的 /FCKeditor/ 目录，返回 403 禁止访问而不是 404，说明该目录存在。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3hrtw2lj30f407v0v3.jpg" alt=""></li>
<li>判断 FCKeditor 版本号：访问 <code>http://192.168.1.3:8001/FCKeditor/_whatsnew.html</code>，由返回页面可知版本为 2.0。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3iu0higj30jd0b5443.jpg" alt=""></li>
<li>此版本 FCKeditor 存在两个可利用的页面：<br><code>FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&amp;connector=connectors/asp/connector.asp</code><br><code>FCKeditor/editor/filemanager/browser/default/connectors/asp/connector.asp?Command=GetFoldersAndFiles&amp;Type=zhang&amp;CurrentFolder=/</code><br>第一个页面在网站根目录的 userfiles/Image 目录下打开一个上传页面，上传的文件都保存在该目录；第二个请求会在网站根目录的 userfiles 下创建一个名为 zhang 的目录（目录名来自 Type 参数）。打开<br><a href="http://192.168.1.3:8001/FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&amp;connector=connectors/asp/connector.asp" target="_blank" rel="noopener">http://192.168.1.3:8001/FCKeditor/editor/filemanager/browser/default/browser.html?type=Image&amp;connector=connectors/asp/connector.asp</a><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3nyydhij30jl0bzq59.jpg" alt=""></li>
<li>先上传一个 .jpg 文件确认上传功能正常，再直接上传 .asp 文件会报错，说明存在扩展名检查；接下来用 BurpSuite 抓包进行 00 截断上传。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3qrxel6j30jh0crae9.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3r20yt8j30ji0cgadx.jpg" alt=""><br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3rapl8kj30jh0cujw5.jpg" alt=""></li>
<li>把浏览器代理设置到 BurpSuite，再次上传 webshell.asp.jpg（把 webshell.asp 重命名为 webshell.asp.jpg 即可），点击 Upload 按钮。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3vl5am7j30jg0cwq5d.jpg" alt=""></li>
<li>BurpSuite 抓到请求后，切换到 Hex 选项卡进行 00 截断。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3szoovcj30jm0f5gyp.jpg" alt=""></li>
<li>找到文件名中 .jpg 前面那个 . 对应的十六进制 2e，改为 00。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3xm40dfj30jh0ex4bk.jpg" alt=""></li>
<li>切换回 Raw 模式，原来的 . 显示为如图的空白字符（即 0x00）；单击 Forward 按钮（可能需要多次，直到没有待转发的请求），把请求发送出去。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3ypj96uj30jf0f4gs7.jpg" alt=""></li>
<li>切换到 History 标签，选择截获的数据包，再查看 Response 标签页，可以看到文件的上传路径为 /UserFiles/Image/。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv3zj6gjgj30ja0f9qdv.jpg" alt=""></li>
<li>取消浏览器代理，刷新上传页面，可以看到文件已上传成功，且保存时文件名在 0x00 处被截断为 webshell.asp。<br><img src="http://ww1.sinaimg.cn/large/006doHETly1fxv40t1m54j30jh0crjt6.jpg" alt=""></li>
</ol>
      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/tags/web/" rel="tag"># web</a>
          
        </div>
      

      
      
      

      
      

      
      
    </footer>
  </div>
  
  
  
  </article>



  </div>


          </div>
          


          

  
  



        </div>
        
          
  
    


        
      </div>
    </main>


    
    

    

  </div>

  










  


  











  
  



  


  




	





  





  













  





  

  

  

  
  

  

  

  


</body>
</html>
